php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32755 Segfault in replaceChild() when DocumentFragment has no children
Submitted: 2005-04-19 00:09 UTC Modified: 2005-04-19 01:09 UTC
From: james at safesearching dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5CVS-2005-04-18 (dev) OS: RedHat 7.3
Private report: No CVE-ID:
 [2005-04-19 00:09 UTC] james at safesearching dot com
Description:
------------
Segfault occurs when calling DOMNode::replaceChild($newNode, $oldNode) if $newNode is a DocumentFragment with no children.

The segfault occurs on line 62 of ext/dom/node.c:

dom_reconcile_ns (doc=0x81aff20, nodep=0x0)
    at /home/james/php5-STABLE-200504182039/ext/dom/node.c:62
62              if (nodep->type == XML_ELEMENT_NODE) {

Code runs test against nodep->type when nodep is NULL.

Was tested on both 5.0.4 (w/ node.c,v 1.29.2.4) and 5.0.5-dev (STABLE-200504182039).

Reproduce code:
---------------
<?php

header('Content-type: text/plain;');

$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;

$dom->loadXML($xml);

$root = $dom->documentElement;
$frag = $dom->createDocumentFragment();

$root->replaceChild($frag, $root->firstChild);

print_r($dom->saveXML());

?>


Expected result:
----------------
Not exactlly sure... perhaps issue a warning indicating that the DocumentFragment object had no children and remove oldNode? Maybe generate a fatal error?

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 27878)]
dom_reconcile_ns (doc=0x81d0540, nodep=0x0)
    at /home/james/php5-STABLE-200504182039/ext/dom/node.c:62
62              if (nodep->type == NULL) {


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-04-19 00:12 UTC] james at safesearching dot com
Reproduce code didn't quite make it all the way in... full code is:

<?php

header('Content-type: text/plain;');

$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;

$dom->loadXML($xml);

$root = $dom->documentElement;
$frag = $dom->createDocumentFragment();

$root->replaceChild($frag, $root->firstChild);

print_r($dom->saveXML());

?>
 [2005-04-19 01:09 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 12:01:52 2014 UTC